Windows HCP Flaw: What You Need to Know

Testing

The person who found this bug provided a couple of sample exploits. You can verify that disabling the HCP protocol prevents the problem by running these tests before and after.

Windows XP users running Internet Explorer version 7 can click on the link below to test the vulnerability.

http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/starthelp.html

If the Windows calculator starts, the computer is vulnerable.

Windows XP users running Internet Explorer 8 and Windows Media Player 9 can click on the link below to test the vulnerability.

http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/launchurl.html

Again, if the Windows calculator starts, the computer is vulnerable. If a later version of Media Player is installed, this is not a valid test.

According to the developer:

Some minor modifications will be required to target other configurations, this is simply an attempt to demonstrate the problem ... Additionally, my demonstration is not intended to be stealthy, a real attack would barely be noticeable to the victim ... Browsers are useful to demonstrate the problem, but there are certainly other attack vectors, such as MUAs, documents, etc. Protocol handlers are designed to be used across applications.

Also note that while antivirus/anti-malware software on your computer may detect these particular examples as malicious, that does not necessarily mean that it offers full protection.

To ensure that the registry update to disable the HCP protocol is really doing its job, you may want to disable your antivirus software, run the test to see the Calculator being invoked, run the fix, then run the test again to ensure the Calculator does not run.

Disabling the Underlying Service

Finally, there is yet another way to work around this problem until Microsoft offers a fix: disable the underlying Help and Support service.

I ran across this on a computer of mine while running one of the above tests, before disabling HCP. On that machine, I had already disabled the service since I rarely use the Help and Support Center. IE7 warned that the service needed to be started and the Calculator never ran.

This solution is not suggested by Microsoft, so it's not appropriate as your only defense. But it makes a good second defensive tactic.

Interestingly, while having the service disabled did prevent the test exploit, merely stopping the service did not. That is, with the service configured for a manual startup, the exploit test was able to start the service and run the Calculator. But even disabling the Help and Support service may not be a rock-solid defense; I have seen software start a service that was disabled.

To be clear, if the HCP protocol is disabled, the computer is protected even if the Help and Support service is running.

As with updating the registry, modifying the state of a service requires administrator level authority.
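
The state of both defenses described above (protocol handler first, service startup type second) can be checked with a short read-only PowerShell script; this is an added example, not code from the original article or from Microsoft. It assumes the registry fix removes the HKEY_CLASSES_ROOT\HCP key and that the short name of the Help and Support service is helpsvc.

```powershell
# Added example: read-only audit of the two workarounds on Windows XP / Server 2003.
# Assumptions (not stated in the article): the hcp:// handler lives at
# HKEY_CLASSES_ROOT\HCP, and the Help and Support service is named "helpsvc".

function Get-HcpExposure {
    param(
        [string]$HandlerKey  = 'Registry::HKEY_CLASSES_ROOT\HCP',
        [string]$ServiceName = 'helpsvc'
    )

    # Primary defense: is the HCP protocol handler still registered?
    $handlerPresent = Test-Path -LiteralPath $HandlerKey

    # Second defense: how is the Help and Support service configured?
    # StartMode is Auto, Manual or Disabled; State is Running, Stopped, etc.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if ($svc) {
        $startMode = $svc.StartMode
        $state     = $svc.State
    } else {
        $startMode = 'NotInstalled'
        $state     = 'NotInstalled'
    }

    # Verdict follows the article: a disabled protocol protects regardless of the
    # service; a stopped service with Manual startup can simply be started again.
    if (-not $handlerPresent) {
        $verdict = 'Protected: HCP protocol is disabled (service state does not matter)'
    } elseif ($startMode -eq 'Disabled' -or $startMode -eq 'NotInstalled') {
        $verdict = 'Partially mitigated: service cannot be started on demand, but HCP is still registered'
    } else {
        $verdict = "Exposed: HCP is registered and the service can be started (StartMode=$startMode)"
    }

    New-Object PSObject -Property @{
        HandlerRegistered = $handlerPresent
        ServiceStartMode  = $startMode
        ServiceState      = $state
        Verdict           = $verdict
    }
}

Get-HcpExposure | Format-List
```

Running it before and after applying a workaround shows which of the two defenses is actually in place; a service that reports Stopped with a Manual startup type still counts as exposed.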

Again, anyone running Windows 7, Vista, 2000 or Server 2008 is fine. The problem with the HCP protocol only affects Windows XP and Server 2003.
